-This package describes important Cygwin specific stuff concerning OpenSSH.
-
-The binary package is usually built for recent Cygwin versions and might
-not run on older versions. Please check http://cygwin.com/ for information
-about current Cygwin releases.
-
-Build instructions are at the end of the file.
-
-===========================================================================
-Important change since 3.7.1p2-2:
-
-The ssh-host-config file doesn't create the /etc/ssh_config and
-/etc/sshd_config files from builtin here-scripts anymore, but it uses
-skeleton files installed in /etc/defaults/etc.
-
-Also it now tries hard to create appropriate permissions on files.
-Same applies for ssh-user-config.
-
-After creating the sshd service with ssh-host-config, it's advisable to
-call ssh-user-config for all affected users, also already exising user
-configurations. In the latter case, file and directory permissions are
-checked and changed, if requireed to match the host configuration.
-
-Important note for Windows 2003 Server users:
----------------------------------------------
-
-2003 Server has a funny new feature. When starting services under SYSTEM
-account, these services have nearly all user rights which SYSTEM holds...
-except for the "Create a token object" right, which is needed to allow
-public key authentication :-(
-
-There's no way around this, except for creating a substitute account which
-has the appropriate privileges. Basically, this account should be member
-of the administrators group, plus it should have the following user rights:
-
- Create a token object
- Logon as a service
- Replace a process level token
- Increase Quota
-
-The ssh-host-config script asks you, if it should create such an account,
-called "sshd_server". If you say "no" here, you're on your own. Please
-follow the instruction in ssh-host-config exactly if possible. Note that
-ssh-user-config sets the permissions on 2003 Server machines dependent of
-whether a sshd_server account exists or not.
-===========================================================================
-
-===========================================================================
-Important change since 3.4p1-2:
-
-This version adds privilege separation as default setting, see
-/usr/doc/openssh/README.privsep. According to that document the
-privsep feature requires a non-privileged account called 'sshd'.
-
-The new ssh-host-config file which is part of this version asks
-to create 'sshd' as local user if you want to use privilege
-separation. If you confirm, it creates that NT user and adds
-the necessary entry to /etc/passwd.
-
-On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
-since that feature doesn't make any sense on a system which doesn't
-differ between privileged and unprivileged users.
-
-The new ssh-host-config script also adds the /var/empty directory
-needed by privilege separation. When creating the /var/empty directory
-by yourself, please note that in contrast to the README.privsep document
-the owner sshould not be "root" but the user which is running sshd. So,
-in the standard configuration this is SYSTEM. The ssh-host-config script
-chowns /var/empty accordingly.
-===========================================================================
-
-===========================================================================
-Important change since 3.0.1p1-2:
-
-This version introduces the ability to register sshd as service on
-Windows 9x/Me systems. This is done only when the options -D and/or
--d are not given.
-===========================================================================
+This package is the actual port of OpenSSH to Cygwin 1.3.
===========================================================================
Important change since 2.9p2:
If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
-
+
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
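Review bot: missing documentation at the top of the file: the deleted sections covered the unprivileged 'sshd' account for privilege separation, /var/empty being owned by the user running sshd rather than "root", and the Windows 2003 Server "Create a token object" right needed for public key authentication, and none of the added lines replace them. If ssh-host-config in this tree still creates the 'sshd' or 'sshd_server' account, keep those sections; otherwise say in the new opening line which OpenSSH version this README describes. In that line, "actual port" reads as a mistranslation of "current port".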
usage: ssh-host-config [OPTION]...
Options:
- --debug -d Enable shell's debug output.
- --yes -y Answer all questions with "yes" automatically.
- --no -n Answer all questions with "no" automatically.
- --cygwin -c <options> Use "options" as value for CYGWIN environment var.
- --port -p <n> sshd listens on port n.
- --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --port -p <n> sshd listens on port n.
Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv installed.
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:
-ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
+sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i
Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:
- ssh 22/tcp #SSH daemon
+ sshd 22/tcp #SSH daemon
+
+===========================================================================
+The following restrictions only apply to Cygwin versions up to 1.3.1
+===========================================================================
+
+Authentication to sshd is possible in one of two ways.
+You'll have to decide before starting sshd!
+
+- If you want to authenticate via RSA and you want to login to that
+ machine to exactly one user account you can do so by running sshd
+ under that user account. You must change /etc/sshd_config
+ to contain the following:
+
+ RSAAuthentication yes
+
+ Moreover it's possible to use rhosts and/or rhosts with
+ RSA authentication by setting the following in sshd_config:
+
+ RhostsAuthentication yes
+ RhostsRSAAuthentication yes
+
+- If you want to be able to login to different user accounts you'll
+ have to start sshd under system account or any other account that
+ is able to switch user context. Note that administrators are _not_
+ able to do that by default! You'll have to give the following
+ special user rights to the user:
+ "Act as part of the operating system"
+ "Replace process level token"
+ "Increase quotas"
+ and if used via service manager
+ "Logon as a service".
+
+ The system account does of course own that user rights by default.
+
+ Unfortunately, if you choose that way, you can only logon with
+ NT password authentification and you should change
+ /etc/sshd_config to contain the following:
+
+ PasswordAuthentication yes
+ RhostsAuthentication no
+ RhostsRSAAuthentication no
+ RSAAuthentication no
+
+ However you can login to the user which has started sshd with
+ RSA authentication anyway. If you want that, change the RSA
+ authentication setting back to "yes":
+
+ RSAAuthentication yes
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
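Review bot: in the added authentication section, the first bullet shows "RhostsAuthentication yes" and "RhostsRSAAuthentication yes" with no caveat, although plain rhosts authentication trusts the client's address and asserted user name alone. Add a sentence saying both should stay at "no" unless explicitly needed, as the second bullet already sets them. In the same hunk the inetd.conf and services entries are renamed from ssh to sshd, but ssh is the registered service name for 22/tcp, so anything resolving "ssh" by name from that services file would stop finding it; keep "ssh 22/tcp" or explain why the name has to differ.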
is used instead!
You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by Cygwin's login(1) port:
+way as they are used by the `login' port on sources.redhat.com:
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
locuser::1104:513:John Doe,U-user,S-1-5-21-...
-Note that the CYGWIN=ntsec setting is required for public key authentication.
-
SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.
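Review bot: the sentence removed after the pw_gecos example was the statement that CYGWIN=ntsec is required for public key authentication, and nothing is put in its place. Say here whether key-based login depends on ntsec in this version, so a reader who leaves ntsec off knows what to expect.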
--prefix=/usr \
--sysconfdir=/etc \
- --libexecdir='$(sbindir)' \
- --localstatedir=/var \
- --datadir='$(prefix)/share' \
- --mandir='$(datadir)/man' \
- --with-tcp-wrappers
-
-If you want to create a Cygwin package, equivalent to the one
-in the Cygwin binary distribution, install like this:
-
- mkdir /tmp/cygwin-ssh
- cd $(builddir)
- make install DESTDIR=/tmp/cygwin-ssh
- cd $(srcdir)/contrib/cygwin
- make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
- cd /tmp/cygwin-ssh
- find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
-
-You must have installed the zlib, the openssl-devel and the minires-devel
-packages to be able to build OpenSSH!
+ --libexecdir='${exec_prefix}/sbin \
+ --with-pcre
+
+You must have installed the zlib, openssl and regex packages to
+be able to build OpenSSH! The `--with-pcre' option requires
+the installation of the pcre package.
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
-Corinna Vinschen
+Corinna Vinschen <vinschen@redhat.com>
Cygwin Developer
Red Hat Inc.
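Review bot: the added configure line "--libexecdir='${exec_prefix}/sbin \" opens a single quote that is never closed, so anyone pasting the command gets the backslash and the following "--with-pcre" pulled into the quoted string; close the quote after sbin. The same hunk drops "--with-tcp-wrappers" and "--localstatedir=/var" from the example without the text saying whether that is intended, which is worth one sentence since the first removes host-based access control from the build.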